Cerber Ransomware version 2 Released, Uses .Cerber2 Extension

A new variant of the Cerber Ransomware, discovered by panicall, a security researcher for Trend Micro, has some significant changes in how it was programmed. Cerber Ransomware version 2 contains numerous internal changes as well as changes that will be apparent to the victim.

Noticeable Changes in Cerber v2

For the victim, the most apparent change will be that encrypted files will now have the .Cerber2 extension rather than the previously used .Cerber.

Cerber2 Encrypted Files

The installers that I have seen so far for the Cerber2 variant have been using an icon from the children's game called Anka. This will most likely change relatively soon.

Cerber / Anka Icon

The wallpaper has also been changed to a new background that looks like a pixelated screen as shown below. This wallpaper will state "Your documents, photos, databases, and other important files have been encrypted!".


Last, but not least, this version removes the weakness that allowed Trend Micro's Cerber Decryptor to possibly decrypt encrypted files.

Internal Changes to Cerber version 2

Internally a lot has changed with Cerber version 2. According to Panicall, the first change is that the ransomware now uses a packer to make it harder to detect and analyze.

It also changed the encryption to now use the Microsoft API CryptGenRandom to generate the key. Furthermore, the key being generated is 32 bytes rather than the 16 bytes used in previous versions. These changes make it so that Trend's Cerber Decryptor is not able to decrypt this version's encrypted files.
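For responders inventorying an infected machine, the following added example (not code from the article, Trend Micro, or the ransomware itself) walks a directory for files carrying the .Cerber2 extension described above (and the older .Cerber), and measures byte entropy so that a file that was actually encrypted with a random key can be told apart from one that was merely renamed or truncated. The 7.5 bits/byte threshold is an assumption, not a figure from the article.

```python
"""IR triage helper for the Cerber v2 extension change (added example)."""
import math
import os
from collections import Counter

# Extensions named in the article: .Cerber (v1) and .Cerber2 (v2).
CERBER_EXTENSIONS = (".cerber", ".cerber2")
# Assumed threshold: data encrypted with a random key sits close to 8.0
# bits/byte; text and most office documents sit well below this.
ENCRYPTED_ENTROPY_MIN = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 65536) -> dict:
    """Describe one Cerber-named file: which variant and whether it looks encrypted."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(sample_size)  # a prefix is enough to judge entropy
    entropy = shannon_entropy(data)
    return {
        "path": path,
        "variant": "v2" if ext == ".cerber2" else "v1",
        "size": os.path.getsize(path),
        "entropy": round(entropy, 3),
        "looks_encrypted": entropy >= ENCRYPTED_ENTROPY_MIN,
    }


def triage_directory(root: str) -> list:
    """Return a classification record for every .cerber/.cerber2 file under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(CERBER_EXTENSIONS):
                hits.append(classify_file(os.path.join(dirpath, name)))
    return hits
```

A low-entropy .Cerber2 file is worth a second look: it may be a zero-length or placeholder file rather than data the decryptor would need to recover.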

A portion of the current Cerber version 2 config extracted by Panicall is below. A full version can be found here. Thanks to Brendon Feeley for sharing the link.

Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Comments

My computer was infected by this CERBER2 last night; I'm not sure if it's from torrent sites or from YouTube. All my files are encrypted, including DLL files. The system hangs and at times the drive seems to be missing.
I formatted the system, which stopped the system hang & drive missing errors, but the files are still encrypted.
Is there any solution for decryption of the files?
Please help when anyone finds a solution.

I have the Decryptor v2. My PC was infected with Cerber 2 and I paid to get my files back. Write me by email or here ( dra4on_green @ yahoo[.]com ) and I will give you the Cerber decryptor v2. If it works, just post here so everyone knows.

Hey! Sorry, not working... this is the message displayed for those who tested my paid decryptor... http://i.epvpimg.com/htWQc.jpg .
It is one solution. If you are a noob like me, you have to pay if you want your files back. Good luck!